Forum Discussion
John_McCulloch
Nimbostratus
NimbostratusBlocked 'Reverse Connections'
Hi all, Recently we have ran into an issue with connections that involved our BIGIP devices and client server connections when there is a firewall as man in middle. The issue that is seen prese...
John_McCullochNimbostratus
NimbostratusThanks for the response, unfortunately we are not using fastl4.
In regards to the TIME_WAIT, I did look down this path and they do seem to have a longer setting compared to the F5. Interestingly it does seem to be the F5 client side of the VS's that are having the issues, servers side seems to close 4 way without as many issues.
I have noticed that the F5s are responding to the FIN's sent with double ACKS. The client generally seems to be responding to this with a RST closing one half of the connection. I will look further into the KA's above and see if there is anything else I have missed though.
Just a quick addition for clarification, these reverse connection are not new connections they seem to be the tail end of already existing/closing connections.
Nikoolayy1
MVP
MVPMaybe it is better that you are not using fatl4 as I mentioned with normal standard vip you selected you customize the Time_Wait of the normal tcp profiles. You can also use "show sys connection" fulter by VS and do it outside working hours to see if the connections are in Time_Wait. My issue was the servers entering time_wait and I saw this with netstat -an on the server pool members.
https://support.f5.com/csp/article/K40033505
https://support.f5.com/csp/article/K53851362
Also you may test using diffent optimized tcp profiles for the client-side and server-side (wan-optimized for the clienside and lan-optimized for the serverside for example):